Re: [whatwg] Proposal: Write-only submittable form-associated controls.

On Wed, Oct 15, 2014 at 6:10 PM, Tab Atkins Jr. <jackalmage@gmail.com>
wrote:

>
> Nothing in-band will work, because the attacker can replace arbitrary
> amounts of the page if they're loaded as an in-page script.  It's
> gotta be *temporally* isolated - either something out-of-band like a
> response header, or something that has no effect by the time scripts
> run, like a <meta> that is only read during initial parsing.
>

Yes. Hence the CSP directive portion of the proposal.

The inline attribute is useful for the specific password manager case I'm
concentrating on, as it gives us a clear indication that the site doesn't
intend to do wacky manipulation of its credentials on the fly. We can use
this to determine how and when the password manager (or credit card
autofill, or whatever) ought to refuse to expose information to the
renderer.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Wednesday, 15 October 2014 16:44:18 UTC